feat: Bus coverage + media testing #49
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,15 @@ | ||||||||||||||||||||||||||||||||
| name: Build Tests | ||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||
| on: | ||||||||||||||||||||||||||||||||
| pull_request: | ||||||||||||||||||||||||||||||||
| branches: [dev, master, main] | ||||||||||||||||||||||||||||||||
| workflow_dispatch: | ||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||
| jobs: | ||||||||||||||||||||||||||||||||
| build: | ||||||||||||||||||||||||||||||||
| uses: OpenVoiceOS/gh-automations/.github/workflows/build-tests.yml@dev | ||||||||||||||||||||||||||||||||
| secrets: inherit | ||||||||||||||||||||||||||||||||
| with: | ||||||||||||||||||||||||||||||||
| python_versions: '["3.10", "3.11", "3.12", "3.13", "3.14"]' | ||||||||||||||||||||||||||||||||
| install_extras: 'audio,pydantic' | ||||||||||||||||||||||||||||||||
| test_path: 'test/unittests/' | ||||||||||||||||||||||||||||||||
|
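Review bot: `secrets: inherit` (line 11 of the new build-tests.yml) hands every repository secret to a reusable workflow that is referenced by the mutable `@dev` branch ref on line 10, and the workflow declares no `permissions:` block, so the caller's `GITHUB_TOKEN` keeps the repository default scopes. Pin `uses:` to a full commit SHA of OpenVoiceOS/gh-automations, add a top-level `permissions:` block with `contents: read` between `on:` and `jobs:`, and if the reusable workflow needs particular secrets, pass them by name under `secrets:` instead of `inherit`.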
Comment on lines +10 to +15

Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix (AI, 4 months ago): In general, the fix is to add an explicit `permissions` block. The best, least intrusive fix here is to add a top-level `permissions:` block with `contents: read` after the `on:` section.
Suggested changeset: 1 file, .github/workflows/build-tests.yml

Comment on lines +3 to +15

Add explicit `permissions`. This workflow currently relies on default token scopes. Please define least-privilege permissions explicitly to reduce token exposure.

Suggested fix:

```diff
 on:
   pull_request:
     branches: [dev, master, main]
   workflow_dispatch:
+permissions:
+  contents: read
+
 jobs:
   build:
```
This file was deleted.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,20 +1,20 @@ | ||
| name: Run Tests | ||
| name: Coverage Pages | ||
| on: | ||
| pull_request: | ||
| push: | ||
| branches: | ||
| - dev | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| pull-requests: write | ||
| contents: read | ||
| contents: write | ||
|
|
||
| jobs: | ||
| unit_tests: | ||
| coverage_pages: | ||
| uses: OpenVoiceOS/gh-automations/.github/workflows/coverage.yml@dev | ||
|
Analysis chain. Web query result: Best practice: prefer immutable refs (commit SHA) over mutable refs (branches).

1) If the reusable workflow is in a different repo. Example:

```yaml
jobs:
  call:
    uses: org/central-workflows/.github/workflows/ci.yml@<FULL_COMMIT_SHA>
```

2) If the reusable workflow is in the same repo. Example:

```yaml
jobs:
  call:
    uses: ./.github/workflows/ci.yml
```

3) When a branch/tag ref can be acceptable (trade-off)

4) Organization enforcement

Rule of thumb:

Sources: GitHub Docs on reusable workflows/ref resolution [1]; GitHub Well-Architected Actions security recommendation on immutable pinning [2]; GitHub Changelog on SHA-pinning policy enforcement [3].

Pin reusable workflow to a full commit SHA. Suggested fix:

```diff
-    uses: OpenVoiceOS/gh-automations/.github/workflows/coverage.yml@dev
+    uses: OpenVoiceOS/gh-automations/.github/workflows/coverage.yml@<commit-sha>
```
||
| secrets: inherit | ||
| with: | ||
| python_version: "3.12" | ||
| install_extras: "audio" | ||
| test_path: "test/unittests/" | ||
| coverage_source: "ovoscope" | ||
| install_extras: "audio,pydantic" | ||
| deploy_pages: true | ||
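Review bot: the `permissions:` change widens this workflow from `contents: read` to `contents: write` at workflow level, while `uses:` still points at the mutable `@dev` ref of OpenVoiceOS/gh-automations and `secrets: inherit` forwards every repository secret. Anyone who can push to that branch of gh-automations can now run with write access to this repository's contents on every push to `dev`. Pin `uses:` to a full commit SHA, and if `deploy_pages: true` is what requires write access, say so in a comment next to `contents: write` so the broadened scope is recognisably deliberate rather than an accident of the rename.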
| Original file line number | Diff line number | Diff line change | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,16 @@ | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| name: Code Coverage | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| on: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| pull_request: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| branches: [dev] | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| workflow_dispatch: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| jobs: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| coverage: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| uses: OpenVoiceOS/gh-automations/.github/workflows/coverage.yml@dev | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Analysis chain. Script executed:

```sh
# Check if the file exists and examine its content around line 10
if [ -f ".github/workflows/coverage.yml" ]; then
  echo "=== File exists. Content around line 10: ==="
  cat -n .github/workflows/coverage.yml | sed -n '1,20p'
else
  echo "File not found"
fi
```

Repository: TigreGotico/ovoscope. Length of output: 590.

Script executed:

```sh
# Check if there are other workflow files using similar patterns
echo "=== Searching for other workflow references to gh-automations ==="
rg "gh-automations" .github/workflows/ -A 1 -B 1
```

Length of output: 2985.

Pin reusable workflow to a commit SHA. Suggested fix:

```diff
-    uses: OpenVoiceOS/gh-automations/.github/workflows/coverage.yml@dev
+    uses: OpenVoiceOS/gh-automations/.github/workflows/coverage.yml@<commit-sha>
```
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| secrets: inherit | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| with: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| python_version: '3.11' | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| coverage_source: 'ovoscope' | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| test_path: 'test/unittests/' | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| min_coverage: 0 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
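Review bot: `min_coverage: 0` on the last line of the new coverage.yml makes the coverage gate non-enforcing: the job cannot fail on coverage, so a change that drops tested lines to zero still passes. If the intent is to record a baseline first, say so in a comment and raise the threshold in a follow-up; otherwise set it to the currently measured value so regressions are caught. This workflow also has no `permissions:` block and pins the reusable workflow to the mutable `@dev` ref, the same issue as build-tests.yml.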
Comment on lines +10 to +16

Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix (AI, 4 months ago): In general, to fix this class of issue you add a `permissions` block. For this specific workflow, the best fix with minimal behavioral change is to define explicit read-only permissions at the workflow level, with `permissions:` set to `contents: read` near the top.
Suggested changeset: 1 file, .github/workflows/coverage.yml

Comment on lines +3 to +16

Define explicit workflow permissions. This workflow should declare least-privilege `permissions`. Suggested fix:

```diff
 on:
   pull_request:
     branches: [dev]
   workflow_dispatch:
+permissions:
+  contents: read
+
 jobs:
   coverage:
```
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
This file was deleted.
| Original file line number | Diff line number | Diff line change | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,14 @@ | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| name: Lint | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| on: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| pull_request: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| branches: [dev, master, main] | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| workflow_dispatch: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| jobs: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| lint: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| uses: OpenVoiceOS/gh-automations/.github/workflows/lint.yml@dev | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Analysis chain. Script executed:

```sh
# First, check the structure of the repository
git ls-files | head -20
```

Repository: TigreGotico/ovoscope. Length of output: 596.

Script executed:

```sh
# Read the specific file mentioned in the review
cat -n .github/workflows/lint.yml
```

Length of output: 450.

Script executed:

```sh
# Search for other reusable workflow references in the codebase
find .github/workflows -type f -name "*.yml" -o -name "*.yaml" | xargs grep -l "uses:" | head -10
```

Length of output: 415.

Script executed:

```sh
# Check all uses of reusable workflows to see the pattern
find .github/workflows -type f \( -name "*.yml" -o -name "*.yaml" \) | xargs grep "uses:" | grep -E "@(dev|main|v[0-9]|[a-f0-9]{40})"
```

Length of output: 1478.

Web query result: Best practices: reusable workflows + mutable refs (branch/tag) vs commit SHAs.
Sources: [1] GitHub Docs — Reusing workflows (reusable workflows can be referenced by SHA, tag, or branch; SHA ensures same YAML).

Use an immutable pin for the reusable lint workflow. Suggested fix:

```diff
-    uses: OpenVoiceOS/gh-automations/.github/workflows/lint.yml@dev
+    uses: OpenVoiceOS/gh-automations/.github/workflows/lint.yml@<commit-sha>
```

Note: This pattern appears across multiple workflows (build-tests, coverage, downstream-check, license-check, pip-audit, publish-stable, release-preview, release-workflow, and repo-health). Consider updating all references to commit SHAs for consistency.
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| secrets: inherit | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| with: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| ruff: true | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| pre_commit: false # set true if .pre-commit-config.yaml exists | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
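Review bot: the new lint.yml has the same two gaps as the other new workflows in this PR, no `permissions:` block and a mutable `@dev` ref on `uses:`; for a lint job, `contents: read` is all the token needs, so declaring it costs nothing. The trailing comment on `pre_commit: false` ("set true if .pre-commit-config.yaml exists") leaves that toggle to a future manual edit; if the repository has no such file, drop the comment, and if it does, set the value now so the lint job reflects the repository's actual configuration.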
Comment on lines +10 to +14

Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix (AI, 4 months ago): In general, the fix is to explicitly define a `permissions` block. The least intrusive and clearest fix is to add a `permissions:` block with `contents: read`.
Suggested changeset: 1 file, .github/workflows/lint.yml

Comment on lines +3 to +14

Add explicit least-privilege permissions. Please define `permissions`. Suggested fix:

```diff
 on:
   pull_request:
     branches: [dev, master, main]
   workflow_dispatch:
+permissions:
+  contents: read
+
 jobs:
   lint:
```
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,10 +1,13 @@ | ||
| name: Repo Health | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: [dev] | ||
| branches: [dev, master, main] | ||
| workflow_dispatch: | ||
|
|
||
| jobs: | ||
| repo_health: | ||
| uses: OpenVoiceOS/gh-automations/.github/workflows/repo-health.yml@dev | ||
| secrets: inherit | ||
| with: | ||
| version_file: 'ovoscope/version.py' |
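Review bot: widening the `pull_request` filter from `branches: [dev]` to `[dev, master, main]` means the reusable repo-health workflow, still referenced by the mutable `@dev` ref with `secrets: inherit`, now also runs on pull requests targeting the release branches. Pin `uses:` to a full commit SHA so a change on the gh-automations `dev` branch cannot silently alter the checks applied to `master` and `main`, and add a `permissions:` block (`contents: read` is sufficient for reading `ovoscope/version.py`) as for the other workflows in this PR.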
Analysis chain. Script executed:

```sh
cat -n .github/workflows/build-tests.yml | head -20
```

Repository: TigreGotico/ovoscope. Length of output: 524.

Pin reusable workflow to an immutable ref. Using `@dev` is mutable and can change behavior unexpectedly across runs. Pin to a commit SHA for reproducibility and supply-chain safety.

Tools: GitHub Check: CodeQL
[warning] 10-15: Workflow does not contain permissions
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}